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Abstract: An important problem when modeling gene networks lies in the identi¬ 
fication of parameters, even if we consider a purely discrete framework as the one of 
Rene Thomas. Here we are interested in the exhaustive search of all parameter values 
that are consistent with observed behaviors of the gene network. We present in this 
article a new approach based on Hoare Logic and on a weakest precondition calculus 
to generate constraints on possible parameter values. Observed behaviors play the 
role of “programs” for the classical Hoare logic, and computed weakest precondi¬ 
tions represent the sets of all compatible parameterizations expressed as constraints 
on parameters. Finally we give a proof of correctness of our Hoare logic for gene 
networks as well as a proof of completeness based on the computation of the weakest 
precondition. 


1 Introduction 


Gene regulation is a complex process where the expression level of a gene at each time depends 
on a large amount of interactions with related genes. Hence regulations between genes can be 
seen as a gene network. Different methods for studying the behavior of such gene networks in 
a systematic way have been proposed. Among them, ordinary differential equations played an 
important role which however mostly lead to numerical simulations. Moreover, the nonlinear 
nature of gene regulations makes analytic solutions hard to obtain. Besides, the abstraction 
procedure of Rene Thomas |Tho91j . approximating sigmoid functions by step functions, makes 
it possible to describe the qualitative dynamics of gene networks as paths in a hnite state space. 
Nevertheless this qualitative description of the dynamics is governed by a set of parameters 
which remain difficult to be deduced from classical experimental knowledge. Therefore, even 
when modeling with the discrete approach of Rene Thomas, the main difficulty lies in the 
identification of these parameters. In this context, we are interested in the exhaustive search of 
parameter values which are consistent with specifications given by the observed behavior of gene 
regulatory networks. Because of the exponential number of parameterizations to consider, two 
main kinds of approaches have emerged. On the one hand, information about cooperation or 
concurrence between two regulators of a same target can be taken into account in order to reduce 
the number of parameterizations to consider, see for example |KCRB09| and also CT F + 09 
in which this notion of cooperation is treated via a grouping of states. On the other hand, 
using constraints can be helpful to represent the set of consistent parameterizations see for 
example |FCT+04l ICTF+091 IMGCLG07| . 

In this paper, we present a new approach based on Hoare Logic |Hoa69| and on weakest 
precondition calculus |Dij75| to generate constraints on parameters. A feature of this approach 
lies in the fact that specifications are partially described by a set of paths, seen as “programs.” 
Since this method avoids building the complete state graph, it results in a powerful tool to find 
out the constraints representing the set of consistent parameterizations with a tangible gain for 
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CPU time. Indeed, the weakest precondition computation which builds the constraints, goes 
through the “program” but is independent of the size of the gene network. 

Other works were undertaken with such objectives. The application of temporal logic to bi¬ 
ological regulatory networks was presented in |BCROQ4) . Constraint programming was used for 
biological systems in jBPCTOTj and these ideas were continued specifically for genetic regulatory 
networks in |Cor()81 ICTF + 09] . 

The paper is organized as follows. The basic concepts of Hoare logic and Dijkstra weak¬ 
est precondition are quickly reminded in Section [2] The formal definitions for discrete gene 
regulatory networks are given in Section [3} Section [4] gives the way to describe properties of 
states, then presents the path language, and finally introduces the notion of Hoare triplet. The 
semantics of these extended Hoare triples is given in Section [5j With the previous material, 
in Section [6] an extended Hoare logic for gene networks is defined for Thomas’ discrete mod¬ 
els. In Section ??, the example of the “incoherent feedforward loop of type 1” (made popular 
by Uri Alon in |SQMMA02l 1 mSQI + 0~2] ) highlights the whole process of our approach to find 
out the suitable parameter values. Section [8] contains a proof of correctness of our Hoare logic 
for gene networks as well as a proof of completeness based on the computation of the weakest 
precondition. We conclude in Section [9| 


2 Reminders on standard Hoare logic 


Hoare logic is a formal system for reasoning about the correctness of imperative programs. 
In |Hoa69j . C. A. R. Hoare introduced the notation “{P} pgm {Q}” to mean “If the assertion 
P (precondition) is satisfied before performing the program pgm and if the program terminates, 
then the assertion Q (postcondition) will be satisfied afterwards.” This constitutes de facto a 
specification of the program under the form of a triple, called the Hoare triple. 

In |Dij75| , E. W. Dijkstra has defined an algorithm taking the postcondition Q and the 
program pgm as input and computing the weakest precondition Po that ensures Q if pgm. ter¬ 
minates. In other words, the Hoare triple {Po} pgiTi {Q} is satisfied and, for any precondition 
P, {P} pgm {<5} is satisfied if and only if P =>- Po- 

Hoare logic and weakest preconditions are now widely known and teached all over the world. 
The basic idea is to stamp the sequential phases of a program with assertions that are infered 
according to the instruction they surround. There are several equivalent versions of Hoare logic 
and our prefered one is the following because it offers a simple proof strategy to compute the 
weakest precondition via a proof tree. Here, p , p\ and p 2 stand for programs, P, Pi, P 2 , / 
and Q stand for assertions, v stands for a declared variable of the imperative program, and 
Q[v <— expr] means that expr is substituted to each free occurrence of v in Q. 

Assignment rule: tttTV-tt -r 7 vr 

0 {Q[v<r-expr\\ v:=expr 

Sequential composition rule: {^2} P2 {Q} ^ 


Alternative rule: 


_{Pi} Pi {Q} {P2} pi {Q}_ 

{(eAPi)V(->eAP2)} if e then pi else p 2 {Q} 


Iteration rule: 


_{eAl} p {1} _ 

{/} while e with I do p {-ieA 1} 


Empty program rule: jpj ^ |q| (where £ stands for the empty program) 

There are standard additional rules: first order logic (to establish “P =8 Q” introduced by 
the Empty program rule), and in practice some reasonnings about the data structures of the 
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program (e.g. integers) in order to simplify the expressions as much as possible “on the fly” in 
the proof trees. 

The Iteration rule requires some comments. The assertion I is called the loop invariant and 
it is well known that finding the weakest loop invariant is undecidable [Hat, 741 iBnoT] . It has 
been included within the programming language for this reason; we ask the programmer to give 
a loop invariant explicitely after the with keyword, although it may appear redundant as it is 
also the precondition of the Hoare triple. By doing so, within a program, each while instruction 
carries its own (sub)specification and it can consequently be proved apart from the rest of the 
program. 

When using these Hoare logic rules, the following proof strategy builds a proof tree that 
performs the proof by computing the weakest precondition mm -. 

1. For each while statement within a Hoare triple 

{.P} pi ; while e with I do p 2 ; P 3 {Q} 

perform 3 independent sub-proofs: 

• { >e A 1} p 3 {Q} 

• {/} while e with / do p 2 {~<e A 1} (i.e. {e A 1} P 2 {/} according to the Iteration 
rule) 

• {P} Pi Ul 

This first step of strategy leads to proofs on subprograms that do not contain any while 
instruction. 

2. Apply the Sequential composition rule only when the program p 2 of this rule is reduced 
to an instruction, which leads to perform the proof starting from postcondition Q at the 
end and treat the instructions backward. 

3. Never apply the Empty program rule , except when the leftmost instruction has been 
treated, that is when all instructions have been treated. 

Since the Assignment rule , which is central, makes it possible to precisely define one pre¬ 
condition from its postcondition, and since the other rules relate (but do not evaluate) the 
conditions, the proof tree is done from the end to the beginning of the program and computes 
a unique assertion. By doing so, the precondition obtained just before applying the last Empty 
program rule is actually the weakest precondition (assuming that the programmer has given 
the weakest loop invariants). In the remainder of the article, we call this strategy the backward 
strategy. In Section ??, we always follow the backward strategy. 

The most striking feature of Hoare logic and weakest precondition is that proofs according 
to the backward strategy consist in very simple sequences of syntactic formula substitutions and 
end with first order logic proofs. Nevertheless, it is worth noticing that it is only a question of 
partial correctness since Hoare Logic does not give any proof of the termination of the analyzed 
program (while instructions may induce infinite loops). 

3 Discrete gene regulatory networks with multiplexes 

This section presents our modeling framework, based on the general discrete method of Rene 
Thomas (Td90l ITKOlj and introduced in [KCRB091 IKhalO| . 
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The starting point consists in a labeled directed graph in which vertices are either variables 
or multiplexes. Variables abstract genes or their products, and multiplexes contain propositional 
formulas that encode situations in which a group of variables (inputs of multiplexes) influence 
the evolution of some variables (outputs of multiplexes). Hence multiplexes represent biological 
phenomena, such as the formation of complexes to activate some genes. In the next definition, 
this labeled directed graph is formally defined, and it is associated with a family 1C of integers. 
As we will see later, these integers correspond to parameters that drive the dynamics of the 
network. 

Definition 3.1 A gene regulatory network with multiplexes ( GRN for short) is a tuple N = 
(V, M, Ey, Em, 1C) satisfying the following conditions: 

• V and M are disjoint sets, whose elements are called variables and multiplexes respec¬ 
tively. 

• N = (V U M, Ey U Em) is a labeled directed graph such that: 

— edges of Ey start from a variable and end to a multiplex, and edges of Em start from 
a multiplex and end to either a variable or a multiplex. 

— every directed cycle of N contains at least one variable. 

— every variable v of V is labeled by a positive integer b v called the bound ofv. 

— every multiplex m of M is labeled by a formula p m belonging to the language C m 
inductively defined by: 

— If v —>• m belongs to Ey and s £ IN belongs to the interval [1 ,b v \, then v > s is 
an atom of C m . 

— If rn' —> m belongs to Em then m! is an atom of C rn . 

— If ip and ip belong to C m then -*p, (ip A ip) and (p V ip) also belong to C m . 

• /C = {K V:U1 } is a family of integers indexed by v G V and u C V^ 1 (u), where -/V -1 (u) is 
the set of predecessors ofv in N (that is, the set of multiplexes m such that rn —> v is an 
edge of Em)- Each K V)U must satisfy 0 < K V)U] < b v . 

Notation 3.2 The flaten version of a formula (p m , denoted pp, is obtained by applying the fol¬ 
lowing algorithm: while the formula contains a multiplex atom ml, substitute rn! by its associated 
formula p> m ' ■ The formula pin exists since N has no directed cycle with only multiplexes. As a 
result, all the atoms ofpp are of the form v > s. 

A state is an assignment of integer values to the variables of V. Such an assignment allows 
a natural evaluation of any formula p rn : by replacing variables by their values, pp. becomes a 
propositional formula whose atoms are integer inequalities. 

Definition 3.3 (states, satisfaction relation and resources). Let N be a GRN and V be its set 
of variables. A state of N is a function ij : V —>• IN such that rj(v) < b v for all v G V. Let 

C be the set of propositional formula whose atoms are of the form v > s with v 6 V and s be 

a positive integer (so that <p m is a formula of C for every multiplex m of N). The satisfaction 
relation |=jv between a state g of N and a formula p of C is inductively defined by: 

• if p is reduced to an atom of the form v > s, then ij \=n P if and only if g(v) > s. 

• if p = ipi A ip 2 then g \ =n P if and only if g |=tv Vh and g \= at ip 2 / and we proceed similarly 

for the other connectives. 
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Given a variable v E V, a multiplex m E N l {v) is a resource of v at state rj if rj |=jv Pm- The 
set of resources of v at state rj is defined by p{rj,v) = {m E N~ l (y) \ rj |=/v pLi}- 

From a dynamical point of view, at a given state rj, each variable v is supposed to evolve 
in the direction of a specific level (between 0 and b v ) that only depends on the set p{rj,v). 
This focal level is given by the logical parameter K vp y lv y Hence, at state rj, v can increase if 
rj(v) < K v p ( v v \, it can decrease if rj(v) > K vp y ]v \ , and it is stable if rj(y) = K vp ( rj1 y . 

Suppose for instance that v has two input multiplexes m a b and m c d with formula (a > 1 Aft > 
1) and (c > 1 A d > 1) respectively. Then m a b and m c d may be seen as complexes (dimers) 
regulating the level of v. Suppose, in addition, that K v q = 0, K v ,{m ab } = Kv,{m cd } = 1 and 
K v ,{m, ah ,m r . d } = 2. Then, complexes m a b and m c d specify activator complexes, with an individual 
effect which is less than a cumulated effect (the focal level of v in the presence of a single complex 
is less than the focal level of v in the presence of both complexes). This example illustrates the 
fact that multiplexes encode combinations of variables that regulate a given variable, and that 
the parameters, by giving a weight to each possible combinations of multiplexes, indicate how 
multiplexes regulate a given variable. 

As in Thomas’ method |Td90ilTK01j . it is assumed that variables evolve asynchronously and 
by unit steps toward their respective target levels. The dynamics of a gene regulatory network 
is then described by the following asynchronous state graph. 


Definition 3.4 (State Graph). Let N = (V, M, Ey, Em , K,) be a GRN. The state graph of N 
is the directed graph S defined as follows: the set of vertices is the set of states of N, and there 
exists an edge (or transition) r] —» rj' if one of the following conditions is satisfied: 


• there is no v € V such that rj(v) K vp ( v , v \ and rj' = rj. 


• there exists v E V such that rj(v) / K v p / rt v \ and 


rj'(v) 


rj{v) + 1 if r](v) < K vAV)V) 
rj(v)-l if rj(v) > K v>pM 


and 


\/u / v, rj' (it) = rj{u). 


Hence a state g is a stable state if and only if it has itself as successor, that is, if and only if 
every variable is stable at state rj (i.e. rj{v) = K VjP r mv \ for every variable v). If 77 is not a stable 
state, then it has at least one outgoing transition. More precisely, for each variable v such that 
rj(v) 7 ^ K v p , v v) , there is a transition allowing v to evolve (±1) toward its focal level K v p y l v y 
Every outgoing transition of rj is supposed to be possible, so that there is an indeterminism as 
soon as rj has several outgoing transitions. An example is given in Figure [ 2 ] (see also Section [7] 
for another example). 


4 Pre- and post-conditions on path sets 

In order to formalize known information about a gene network, we introduce in this section a 
language to express properties of states (assertion language) and a language to express properties 
of state transitions (path language). Combining properties of state transitions and properties 
of states, at the beginning and at the end of a sequences of state transitions, leads to the notion 
of Hoare triplet on path programs. 

4.1 An assertion language for discrete models of gene networks 

To describe properties of states in a meaningful way, we need terms that allow us to check, com¬ 
pare and manipulate variable values while taking parameter values into account. The following 
definitions define a language suitable for such needs. It extends [KhalOj . 
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Definition 4.1 (Terms of the assertion language) Let N = (V,A.I,Ev,Em, 1C) be a GRN. The 
well formed terms of the assertion language of N are inductively defined by: 

• Each integer n € IV constitutes a well formed constant term 

• For each variable the name of the variable v, considered as a symbol, constitutes a 

well formed constant term. 

• Similarly, for each v € V and for each subset oj of N^ 1 ^), the symbol K ViW constitutes a 
well formed constant term. 

• If t and t! are well formed terms then (t + t') and (t — t') are also well formed terms. 

Definition 4.2 (Assertion language and its semantics) Let N = (V, M, Ey, Em, /C) be a GRN. 
The assertion language of N is inductively defined as follows: 

• If t and t! are well formed terms then (t = t'), (t < t'), (t > t'), (t < t') and (t > t') are 
atoms of the assertion language. 

• If p and if belong to the assertion language then -up, (p A if), (p\J if) and (ip =4> if) also 
belong to the assertion language. 

A state 7) of the network N satisfies an assertion p if and only if its interpretation is valid 
in Zj, after substituting each variable v by r/(v) and each symbol K v ^ by its value according to 
the family 1C. We note r/ |=at p. 

4.2 A path language for discrete models of gene networks 

The assertion language introduced above is a subset of first order logic well suited to describe 
properties on sets of states. It does not express dynamical aspects, since the dynamics of the 
system is encoded in the transitions of the state graph. A description of dynamical properties 
equates to a precise formulation of properties of paths. The language proposed here is suitable 
for encoding such properties. 

Definition 4.3 (Path language and path program) Let N = (V, M, Ey, Em, 1C) be a GRN. The 
path language of N is the language inductively defined by: 

• For each v 6 V and n G IN the expressions “v+ ”, “v—” and “v := n” belong to the path 
language (respectively increase, decrease or assignment of variable value). 

• If e is a formula belonging to the assertion language of N, then “assert(e) ” also belongs 
to the path language. 

• If pi and p 2 belong to the path language then (pi ; p-fi also belongs to the path language 
(sequential composition). Moreover the sequential composition is associative, so that we 
can write (pi ; pp, ■ ■ • ;p n ) without intermediate parentheses. 

• If pi and p 2 belong to the path language and if e is a formula belonging to the assertion 
language of N, then (if e then pi else p 2 ) also belongs to the path language. 

• If p belongs to the path language and if e and I are formulas belonging to the assertion 
language of N, then (while e with I do p) also belongs to the path language. The assertion 
I is called the invariant of the while loop. 

• If pi and p 2 belong to the path language then\/(pi,p 2 ) and ^(pi,p 2 ) also belong to the path 
language (quantifiers). Moreover the quantifiers are associative and commutative, so that 
we can write M(pi,p 2 , ■ ■ ■ ,p n ) and 3(pi,p2, ■ ■ ■ ,p n ) as useful abbreviations. 
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For technical purposes, we also consider the empty program “e” (outside the inductive defini¬ 
tion). A well formed expression in the path language is called a path program. 

Intuitivelly, “u+” (resp. “v—”, “v := n”) means that the level of variable v is increasing 
by one unit (resp. decreasing by one unit, set to a particular value n). l ‘assert(e) v allows one 
to express a property of the current state without change of state. The sequential composition 
allows one to concatenate two path programs whereas the statement “i/” allows one to choose 
between two programs according to the evaluation of the formula e. Finally it becomes possible 
to express properties of several paths thanks to the quantifiers V and 3. Lastly notice that e 
appears in a path program if and only if the path is reduced to the empty program. These 
intuitions will be formalized in Section [5l 

4.3 Syntax of pre- and post-conditions on path programs 

The next step is to combine properties of state transitions (path program) and properties of 
states (assertions), at the begining and at the end of the considered path program. This is done 
via the notion of Hoare triplet on path programs. 

Notation 4.4 A CRN N being given, a Hoare triple on path programs is an expression of the 
form “{P} p {Q}” where P and Q are well formed assertions, called pre- and post-condition 
respectively, and p is a path program. 

Intuitively, the precondition P describes a set of states, e.g. all states for which variable v has 
value zero (P = v = 0), the path program p describes dynamical processes, e.g. increase of 
variable v (p = u+), and the postcondition again describes a set of states, e.g. all states for 
which variable v has value one (Q = v = 1). This small example encodes the process of variable 
v changing its value from zero to one. Whether or not the expression is satisfied for a given 
gene network N depends on its state transition graph, thus it depends on the corresponding 
parameter values in 1C. 

5 Semantics of Hoare triples on path programs 

We firstly define the semantics of path programs via a binary relation. The general ideas that 
motivate the definition below are the following: 

• Starting from an initial state r/, sequences of instructions without existential or universal 
quantifier either transform 7] into another state rf or is not feasible so that rf is undefined. 
For example, the simple instruction v+ transforms r/ into rf (where Vu v,rf(u) = r)(u) 
and rf (v) = rj(v) + 1) if g —> rf exists. If, on the contrary, this transition does not exist, 
the instruction is not feasible. 

• Existential quantifiers induce a sort of “non determinism” about rf \ according to the chosen 
path under each existential quantifier one may get differents resulting states. Consequently, 
one cannot define the semantics as a partial function that associates a unique rf to r/; a 
binary relation u r) ^ ...” is a more suited mathematical object. 

• Universal quantifiers induce a sort of “solidarity” between all the states rf that can be 
obtained according to the chosen path under each universal quantifier: all of them will 
have to satisfy the postcondition later on. For this reason, we define a binary relation 
that associates a set of states E to the initial state g: u r] E”. Such a set E can be 
understood as grouping together the states it contains, under the scope of some universal 
quantifier. 
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• When the path program p contains both existential and universal quantifiers, we may 
consequently get several sets E\, - ■ ■, E n such that “77 E , each of the E t being a 
possibility through the existential quantifiers of p and all the states belonging to a given 
E t being together through the universal quantifiers of p. On the contrary, if p is not 
feasible, then there is no set E at all such that “77 E ” 

Notation 5.1 For a state p, a variable v and k G [0, b v \, we define p[v <— k] as the state rf such 
that p'(v) = k and for all u v, 7 /( 14 ) = 77 ( 74 ). 

Definition 5.2 [Path program relation 

Let N = ( V. M, Ey , Em • /C ) be a GRN, let S be the state graph of N whose set of vertices is 
denoted S and let p be a path program of N. The binary relation ■£> is the smallest subset of 
S x V(S) such that, for any state p: 

1. If p is reduced to the instruction u+ (resp. v—), then let us consider p' = 77 ( 7 ; •(— ( 77 ( 77 ) + 1)] 
(resp. ?/ = 77 ( 7 ; <— ( 77 ( 77 ) — l)\): if p p' is a transition of S then p { 7 /} 

2. If p is reduced to the instruction v := k, then p { 77 [v ■<— A:]} 

3. If p is reduced to the instruction assert(e), if p f=jv e, then p { 77 } 

4- If p is of the form V(pi,p 2 )' if P^ E\ and p ^3 E 2 then 77 (E\ U Efi) 

P\ P P‘2 P 

5. If p is of the form 3(pi,p2): if p ^ E\ then 77 E\, and if p ^ E 2 then p TL E 2 

6. If p is of the form (pv,P 2 )-' if p F and if {E e } e eF is a F-indexed family of state sets 

such that e & E e , then p (U e£ F E e ) 

7. If p is of the form (if e then p\ else p'fi)' 

• tf V \=N e and p E then p E 

• if V \/=N e and p E then p E 

8. If p is of the form (while e with I do po): 

• if V \=N e and p E then p E 

• if p |/=at e then p M 

9. If p is the empty program e, then p ^ { 77 } 

This definition calls for several comments. 

The relation exists because (i) the set of all relations that satisfy the properties 1-8 
of the definition is not empty (the relation which links all states to all sets of states satisfies 
the properties) and (ii) the intersection of all the relations that satisfy the properties 1-8, also 
satisfies the properties. 

A simple instruction such as 7 ;+ can be not feasible from a state 77 (if 77 —> p' is not a 
transition of S). In this case, there is no set E such that 77 E. The same situation happens 
when the program is an assertion that is evaluated to false at the current state 77 . 

Universal quantifiers “propagate” non feasible paths: if one of the pi is not feasible then 
V(pij * • • ,p n ) is not feasible. It is not the case for existential quantifiers: if 77 ^3 E x for one of 

the pi then 77 ^ p E> Pn ' 1 even if one of the pj is not feasible. 

When a while loop does not terminate, there does not exist a set E such that p E. 

p 

This is due to the minimality of the binary relation On the contrary, when the while loop 



terminates, it is equivalent to a program containing a finite number of the sub-program po in 
sequence, starting from p. 

The semantics of sequential composition may seem unclear for whom is not familiar with 

We better take an example to explain the construction of P A? 2 (see 


commutations of quantifiers. 
Figure [I]): 



Pl,P2 


gives: 



U E 3 
U E a 

U e 3 

U £4 


Figure 1: An example for the semantics of sequential composition 


p 1 

• Let us assume that starting from state p, two sets of states are reachable via p \: p ^ F\ = 
{p a ,Pb} and p^~> £2 = {p c }- It intuitively means that pi permits a choice between F\ and 
£2 through some existential quantifier on paths and that the path leading to F\ contains 
a universal quantifier grouping together p a and p b - 

• Let us also assume that: 

— starting from state p a , two sets of states are reachable via P 2 

— starting from state p b , two sets of states are reachable via P 2 

— there is not any set E such that p c ^> E 

When focusing on the paths of ( Pi]P 2 ) that encounter Fi after pi, the paths such that p\ leads 
to p a must be grouped together with the ones that leads to p b - Nevertheless, for each of them, 
P 2 permits a choice: between E± or E 2 for p a and between £3 or £4 for pb- Consequently, 
when grouping together the possible futures of p a and p b , one needs to consider the four possible 
combinations: p P AS 2 (E± U £3), p P ^% 2 (£1 U £4) p P ^% 2 (£2 U £3) and p P A? 2 (£2 U £4). 

Lastly, when focusing on the paths of ( Pi',P 2 ) that encounter £2 after p\. since p c has no future 
via p 2 , there is no family indexed by £2 as mentioned in the definition and consequently it adds 
no relation into P ^S 2 . 

Lastly, let us remark that, if p ^ E then £ cannot be empty; it always contains at least one 
state. The proof is easy by structural induction of the program p (using the fact that a while loop 
which terminates is equivalent to a program containing a finite number of the sub-program pq). 

Definition 5.3 (Semantics of a Hoare triple). Let N = (V, M, Ey, £^,/C) be a GRN and let S 
be the state graph of N whose set of vertices is denoted S. A Hoare triple {£} p {Q} is satisfied 
if and only if: 

for all p G S satisfying P, there exists E such that p E and for all p' 6 E, p' satisfies Q. 


: Pa & El and p a & £ 2 , 
: p b ^ £ 3 and p b & £ 4 , 


The previous definition implies the consistency of all the paths described by the path program 
p with the state graph: if path program p is not feasible from one of the states satisfying pre¬ 
condition P, then the Hoare triplet cannot be satisfied. For instance if some v+ is required by 
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Figure 2: (Left) Graphical representation of the GRN N = (V, M, Ey , Em , 1C) with V = {a, b}, 
the bounds of a and b are respectively 2 and 1, M = {pi, p 2 , P 3 }, <^1 is (a > 2), ip ti2 is 
(o > 1), </> M3 is “'0 > !)• Finally the family of integers is {K a $ = 1, = 1, iF a , {/i3 } = 2, 

/Va j^i ^s} = = 1, K b {^ 2 } = 1}. (Right) Representation of its state graph. 


the path program p but the increasing of v is not possible according to the state graph, then 
the Hoare triple is not satisfied. 

More generally the path language plays the role of the programming language in the classical 
Hoare Logic. A Hoare triplet is satisfied iff from the states satisfying the precondition, the 
program p is feasible and leads to a set of states where the postcondition is satisfied. The path 
program p can then be viewed as the sequence of actions one can use in order to modify the 
state (memory) of the system. 

Nevertheless, similarly to classical Hoare logic which reflects a partial correctness of im¬ 
perative programming language, the previous definition does not imply termination of while 
loops. Our path language can also define some infinite paths. Notice that if the non terminating 
while loop is at the end of the program, then it has a biological meaning: it represents periodic 
behaviours (such as the circadian cycle for instance). 

Examples. Let us consider the GRN of Figure [2] and its state graph. 

1. The Hoare triplet {(a = 0) A (b = 0)} a+; a+; b+ {(a = 2) A (b = 1)} is satisfied, because : 

• There is a unique state satisfying the precondition (a = 0) A (b = 0) and 

• from this state, the path program a+; a+; b+ is possible and leads to the state (2,1) 
and 

• the state (2,1) satisfies the postcondition (a = 2) A (b = 1). 

2. On the opposite, the Hoare triplet {(a = 2) A (b = 0)} &+; a—; a — {(a = 0) A (b = 1)} is 
not satisfied because from the state satisfying the precondition, the first “instruction” b+ 
is possible and leads to the state (2,1) from which the next instruction b— is not consistant 
with the state graph. 

3. The following Hoare triplet contains two existantial quantifiers and a universal one : 

{(a = 0) A (b = 0)} V(a+, 6+);3(a+, 6+); 3(e,6+) {(6 = 1)} 

• We have clearly (0,0) V(a .ii 6+ ) |(i ; 0 ), (0,1)} 

• Since (1,0) ^ + "* {(2,0)} and (1,0) ^ {(1,1)} and (0,1) ^ {(1,1)}, we 

have both (0,0) v ( a +'W(“+’ 6 +) {(1,1), (2,0)} and (0,0) ^ b +^ b +) {(1> 1)} . 

• We have trivially (1,1) 3 ^d + ' ) {(1,1)} 

• Moreover we have both (2,0) 3( '^d + ' ) {(2,0)} and (2,0) 3( '^d + ' ) {(2,1)} 
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• We deduce that the considered program p can lead to 3 differents set of states : 
(0,0) ^{(1,1), (2,0)}, (0,0)^ {(1,1)} and (0,0) ^ {(1,1), (2,1)}. 

Because the postcondition is satisfied in both states (1,1) and (2,1), see the last set of 
states which is in relation with (0,0), one can deduce that the Hoare Triplet is satisfied. 


6 A Hoare logic for discrete models of gene networks 

In this section, we define a “genetically modified” Hoare logic by giving the rules for each 
instruction of our path language (definition 4.3). First, let us introduce a few notations for 
intensively used formulas. 

Notation 6.1 Let N = (V, M, Ey, Em ,/C) be a GRN and let v be a variable ofV. 

1. For each subset uj of N~ 1 (v) (set of predecessors of v in the network), we denote by <3?^ 
the following formula: 

$v = ( A A ( A 

m £ ui m £ 7V -1 pj)\a; 


where iV _1 (u) \ uj stands for the complementary subset of uj in N _1 (n). 

From Definition 3.3, for all states p and for all variables v E V, rj \=n if and only if 

u: = p(p,v), that is, uj is the set of resources of v at state p. Consequently, there exists a 
unique uj such that p |=tv 


2. We denote by <F+ the following formula: 


4 >+ = 

^ V — 


A (* 

cjC G 1 (v) 




From Definition 3-4 • P \=N if and only if there is a transition (p 
the state graph S, that is, if and only if the variable v can increase. 


3. We denote by the following formula: 

= 

1 7 ! - 


A 

ajcG _1 (i;) 


Kv,ui ^ u) 


p[v v + 1]) in 


Similarly, p |=n 4^ if and only if the variable v can decrease from the state p in the state 
graph S. 


By the way, in practice, the assertion assert (4?=) is often useful from the biological point of 
view, where <3?= is obviously defined by: <3?= = ($“ => K V UJ = v) 

uCG _1 (») 

Our Hoare logic for discrete models of gene networks is then defined by the following rules, 
where v is a variable of the GRN and k G IV. 

1. Rules encoding Thomas’ discrete dynamics. 


Incrementation rule: 


{ $i!" A Q[v4-v+ 1] } v+ {Q} 


Decrementation rule: 


{ A Q[v*-v— 1] } v— {Q} 
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2. Rules coming from Hoare Logic. These rules are very similar to the ones given in Section[2j 
Obvious rules for the instruction assert (<f>) and the quantifiers are added: 


Assert rule: 

Universal quantifier rule: 

Existential quantifier rule: 
Assignment rule: 

Sequential composition rule: 


{ $ A Q } assert (<&) 

{ Q 

} 

{Pi} Pi {Q} 

{P2} 

P2 

{Q} 

{P1AP2} 

V(Pl,P2) - 

{Q\ 


{Pi} Pi {<?} 

{P 2 } 

P2 

{Q} 

{P1VP2} 

3(pi,P2) 

{Q} 


{Q[wt^k}} v:= 

--k M 



{P2} P 2 {Q} 

{Pi} 

pi 

{P 2 } 


{-Pi} pi;p2 {Q} 


Alternative rule: 


_ {Pi} Pi {Q} {P 2 } P 2 {Q} _ 

{(eAPi)V(-ieAP 2 )} if e then p\ else P 2 {Q} 


Iteration rule: 

Empty program rule: 


_{eA 1} p {/}_ 

{/} while e with I do p {-<e/\ 1} 


P =» Q 

{P} ^ {Q} 


3. Axioms. These axioms assert that all values stay between their bounds, where v is a 
variable of the GRN N and u C IV -1 (u): 

Boundary axioms: 0 < v 

V < by 

0 < K v ,u 
b v 


Remark 6.2 

• =>■ v < b v ) can be derived from the previous rules. Indeed, implies that for 1 j 
corresponding to the current set of resources, K V 0J > v and, using the boundary axiom 
Kv,u < b v , we get v < b v . 

• Similarly, we have => v > 0. 

These implications will be used in section ??. 

We will prove in Section [8] that this modified Hoare logic is correct, and that it is complete 
provided that the path program under consideration contains the weakest loop invariants for all 
while statements. More precisely, the proof strategy called backward strategy , already described 
at the end of Section [2j also applies here: It computes the weakest precondition. Before giving 
these two proofs, let us show in the next section the usefulness of our genetically modified Hoare 
logic via the formal study of the possible biological functions of a very simple network. 


7 Example 


In [SUMMA021 lMSOI+n2| Uri Alon and co-workers have studied the most common in vivo 
patterns involving three genes. Among them, they have enlightened the “incoherent feedforward 
loop of type 1”. It is composed by a transcription factor a that activates a second transcription 
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factor c, and both a and c regulate a gene 6: a is an activator of b whereas c is an inhibitor of 
b. There is a “short” positive action of a on b and a “long” negative action via c: a activates 
c which inhibits b. The left hand side of Figure [3] shows such a feedforward loop. Considering 
that both thresholds of actions of a are equal leads to a boolean network since, in that case, the 
variable a can take only the value 0 (a has no action) or 1 (a activates both b and c). The right 



Figure 3: Boolean incoherent feedforward of type 1. At right, graphical representation of the 
GRN N = (V,M,Ev,Em,K-) with V = {a, 6, c}, the bounds of a, b and c are equal to 1, 
M = {Z, A, cr}, (j)i is (a > 1), <fi\ is (~i(c > 1)), <j> a is (a > 1). Finally the family of integers is 
{-^a,0> -^e,0j Kc, { i } , K b $, Eb,{( r}; -^Q>,{A}; 


hand side of the figure shows the corresponding GRN with multiplexes: a encodes the “short” 
action of a on b, whilst l followed by A constitute the “long” action. 

Several authors, like Uri Alon, consider that if a is equal to 0 for a sufficiently long time, both 
b and c will also be equal to 0, because b and c need a as a resource in order to reach the state 1. 
They also consider that the function of this feedforward loop is to ensure a transitory activity 
of b that signals when a has switched from 0 to 1: the idea is that a activates the productions 
of b and c, and then c stops the production of b. 

Here, we take a look at this question via four different path programs, and we prove formally 
that this affirmation is only valid under some constraints on the parameters of the network, and 
only under the assumption that b starts its activity before c. 

Is a transitory production of b possible? As already stated, the function classically asso¬ 
ciated with the feedforward loop is to ensure a transitory activity of b that signals when a has 
switched from 0 to 1. An interesting question is under which conditions the previous property is 
true ? For example the path program 

(1) Vi = (6+; c+; 6—) 

together with the pre-condition P = (a = 1 A 6 = 0 A c = 0) and the post-condition 
Qo = {6 = 0}, is a possible formalization of the previous property about the behaviour of the 
feedforward loop. The backward strategy using our genetically modified Hoare logic on this 
example gives the following successive conditions. 

• The weakest precondition obtained through the last instruction “6—” is the following 
conjunction: 


*^6 A Qo[b ■<— 6 — 1] 


(— i — i (c > 1) A -'(a > 1 )) ==>• Kb < 6 
( -l-l (c > 1) A (a > 1)) =>• Kb,a < b 
< (=(c > 1) A -i(a > 1)) K bi x < b 

(=(c > 1) A (a > 1)) K b .cr\ < b 
s 6 - 1=0 
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which simplifies as the conjunction Q\\ 


Q 1 = 


6=1 

((c > 1 ) A (a < 1 )) 
((c > 1 ) A (a > 1 )) 
((c < 1 ) A (a < 1 )) 
((c < 1 ) A (a > 1 )) 


K b = 0 
Kb,a = 0 
K b , a = o 
Kb (7 A = 0 


Then, the weakest precondition obtained through the instruction “c+” is: 


A Q\ [c <— c + 1 ] = < 


~ 1 (a > 1) ==> K c > c 
a > 1 => K c i > c 
6 = 1 

((c+ 1 > 1) A (a < 1)) 
((c+1 > 1) A(o> 1)) 
((c+ 1 < 1) A (a < 1)) 
((c+ 1 < 1) A (a > 1)) 


K b = 0 
Kb, a = 0 
Kb, a = o 
Kb.rrX = 0 


which simplihes as Q 2 owing to the boundary axioms and remarks 6.2 


Q 2 = 


c = 0 


a < 1 = 

- /+ = 1 

a > 1 = 

=* K c i = 1 

6=1 


a < 1 = 

=> /+ = 0 

a > 1 = 

0 

II 

b 


Lastly, the weakest precondition obtained through the first “6+” of the program is: 


A Q2[b 4 — 6+1] 


(— 1 —i(c > 1) A —1 (a > 1)) =+> Kb > 6 
(— 1 —.(c > 1) A (a > 1)) =>- Kb, a > 6 
(=(c > 1) A =(o > 1)) =+ K b , a > 6 
(^(c > 1) A (a > 1)) =+> K b , a \ > 6 
c = 0 

a < 1 =>- K c = 1 
a > 1 =>- K c ,i = 1 

6+1 = 1 


0 < 1 =+ Kb = 0 
. a > 1 =>- K b ,a = 0 


which simplifies as Q 3: 


Q 3 


a < 1 ==>- /h,a = 1 
a > 1 K h (jX = 1 
c = 0 

a < 1 ==> K c = 1 
a > 1 => /L c j = 1 
6 = 0 

a < 1 ==> life = 0 
a > 1 => K h fJ = 0 


Then, using the empty program rule, it comes P =+> Q3 i.e. (a = 1 A 6 = 0 A c = 0 ) =>• Q3 
and after simplification we get the correctness if and only if K b , a \ = 1 and K c ,i = 1 and 
Kb, a = 0 . This proves that, whatever the values of the other parameters, the system can exhibit 
a transitory production of 6 in response to a switch of a from 0 to 1. 
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Is a transitory production of 6 possible without increasing c? The previous program 
V\ is not the only one reflecting a transitory production of b, there may be other realisations of 
this property. For example one can consider the path program : 

(2) P 2 = (&+;&-). 

With respect to this path program, the weakest precondition obtained through the last instruc¬ 
tion “6—” is of course Q i as previously. Then, the weakest precondition obtained through “6+” 
is: 

' 6 = 0 

((c > 1) A (a < 1)) => {{K b = 1) A (K b = 0)) 

Qi = ((c > 1) A (a > 1)) =>• ((K bj<7 = 1) A {K b(J = 0)) 

((c < 1) A (a < 1)) => ((K b , A = 1) A (K biX = 0)) 

, ((c < 1) A (a > 1)) => ({Kb,a a = 1) A {K ba \ = 0)) 

Qi is of course not satisfiable: it implies that each parameter associated with 6 is both equal to 
0 and 1. The path program (6+;6—) is not feasible (inconsistent weakest precondition). Indeed, 
we retrieve an obvious property of the Thomas’ approach: if 6 has no negative action on itself 
then the sequence (6+;6—) cannot arise because the resources of 6 must change in order to 
switch its direction of evolution. 

Another possible path compatible with the path program (6+, c+, 6—). Let us notice 
that, when K b , a \ = 1, K c j = 1 and K bjU = 0, even if the system can exhibit a transitory 
production of 6 via (6+; c+; 6—), this does not prevent from some other paths that do not 
exhibit this behaviour. For example the simple path Vj, = c+ leaves 6 constantly equal to 0, 
and the Hoare triplet 

a=l A 6 = 0 A c = 0A 
Kb,a\ = 1 A K c j = 1 A K b(J = 0 

is satisfied, as the corresponding weakest precondition Q b is clearly implied by the precondition. 

{ c = 0 

a = 0 =$■ K c = 1 
a = 1 =>- K C) i = 1 
6 = 0 

When a is constantly equal to 1 and when c = 1, production of 6 is impossible. 

Even worst: when a is constantly equal to 1, once c has reached the level 1, it is impossible for 
6 to increase to 1. We prove this property by showing that the following triplet is inconsistent, 
whatever the loop invariant I : 

(3) < a . 1 ^ ^ j ^ C 1 ^ 1 while 6<1 with I do 3(6+,6—,c+,c—) { 6 = 1 } 

I -t*-b,cr A 1 7 ^ J s -^ 

V A 

The subprogram 3(6+, 6—, c+, c—) reflects the fact that a stays constant but 6 or c evolves. The 
while statement allows 6 and c to evolve freely until 6 becomes equal to 1. 

Applying the Iteration rule, / has to satisfy: 

• =( 6 < 1 ) AI=> (6 = 1 ) 

This property is trivially satisfied whatever the assertion I, due to the boundary axioms. 


Q 5 = a Qo\ c c + l] 



ir, 



• {b < 1 A 1} 3(6+, 6-, c+, c-) {/} 

We apply the existential quantifier rule, which gives the following weakest precondition: 
Q 6 = ($+A/[6^6+1])V($^A/[6^6-1])V($+A/[c^c+1])V($"A/[c^c-1]) 
Consequently I can be any assertion such that 

(6 = 0 A I) =+> Q§ 

Let us denote P the precondition of the path program V±. Applying the empty program rule, it 
comes that I must also satisfy P =+ I. So, because P => (6 = 0), we have P ==> (6 = 0 A I), 
which, in turn implies Qq. Moreover, let us remark that 

Qe => ($+ V V <F+ V $-) 

Consequently, if the Hoare triple [3] is correct, then: 

P =+ (T+v$ fe -v$+v$-) 

which is impossible because, if P is satisfied, then: 

• is false, as a = 1, c = 1 and I\b, a = 0 (indeed, implies a = lAc=l + Kb,a > 0) 

• is false, as 6 = 0 (3>^ implies 6 > 0) 

• d>+ is false, as c = 1 (<3?+ implies c < 1) 

• is false, as a = 1, c = 1 and Ji C) / = 1 ($“ implies a = lAc=l + K c j < 1). 

So, we have formally proved that when a is constantly equal to 1, once c has reached the level 
1, it is impossible for 6 to increase to 1. 


8 Partial Correctness and Completeness 

’’Partial” has to be understood here as ’’Assuming that the while loops terminate”, as usual in 
Hoare logic. 


8.1 Correctness 

Correctness of our modified Hoare logic means that: if h {P} p {Q} according to the inference 
rules of Section [fij then the Hoare triple {P} p {Q} is semantically satisfied according to 
Definition |5.3[ i.e.: for all i) € S (S being the set of states of S ) such that rj (=jy P there exists 
E C S such that rj E and Vr/ € E, rj (=jv Q- 

The proof is made as usual by induction on the proof tree of h {P} p {Q}. Hence, we 
have to prove that each rule of Section [6] is correct. Here we develop only the Incrementation 
rule and the Sequential composition rule since the correctness of the other inference rules is 
either similar ( Decrementation rule ) or trivial ( Assert rule, quantifier rules , Assignment rule 
and Empty program rule ) or standard in Hoare Logic ( Alternative rule and Iteration rule). Let 
us note that the correctness of the Sequential composition rule is neither trivial nor standard 
because its semantics is enriched to cope with the quantifiers. 

Let IV be a GRN and let r) be any state of the associated state space S: 


Incrementation rule: 


{ $+ A Q[rR-r+1] } v+ {Q} 


From Definition 5.3, the hypothesis is: 


(where v is a variable of the GRn) 
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H 1 ] |=tv and rj |=jv Q[v v + 1 ] 


and we have to prove the conclusion: 

C there exists H C S such that 77 E and Vr/ € E, rf |=jv Q 


Let us choose E = {77'} with rf = ry[n -<— 77(77) + 1 ]. From Notation 6.1, the hypotesis 
77 |= tv (ft i s equivalent to ( 7 / —> rj') G S, which in turn, according to Definition 5.2, implies 
77 Xi { 77 '}. Hence, it only remains to prove that rf \=n Q, which results from the hypothesis 
v Hv Q[v v + 1 ]. □ 


Sequential composition rule: 


{P2 } p 2 \Q} \Pi } pi mi 

{Hi} pi;p 2 {<9} 


From Definition 5.3, we consider the following three hypotheses: 


H\ for all 771 G 5 such that 771 |=jv Hi there exists Hi such that 771 Hi and VV G 
Hi, rf |=tv P 2 


Hi for all 772 G 5 such that 772 |=tv H 2 there exists H 2 such that 772 H 2 and V 77 " G 

H 2 , 77" Q 

V |=JV Hi 


H 


and we have to prove the conclusion: 


C there exists E C S such that 77 P P% 2 E and V 77 " G H, rf' \=n Q 
Let us arbitrarily choose a set Hi such that 77 Hi and Mr]' G Hi, 77 ' H 2 (we know 


that Hi exists from 


Hi 


and Hi 


For each rf G E\ , we similarly choose a set E '2 such that: 


H 2 


rf H2 and \/r]" G Ef , 77" (= tv Q (we know that the family {Hg }r?'e-Ei exists from 
and the fact that 77' |= tv H2 for all 77' G E 2 ) 

Let H = ((Jr/'eEi ^2 )> we have: 77 p -^ 2 H from Definition 5.2 and V 77 " G H, 77 " |= tv Q 
(from the way the union is built). □ 


8.2 Weakest precondition 


Completeness of Hoare logic would be of course defined as follows: If the Hoare triple {H} p {Q} 
is satisfied (according to Definition 5.3) then b {H} p {Q} (using the inference rules of Section]!] 
as well as first order logic and proofs on integers). 


Obviously, as such, Hoare logics cannot be complete because, as already mentioned for 
classical Hoare logic, finding the weakest loop invariants is undecidable and there is no complete 
logic on integers (Godel). So, following Dijkstra |Dij75| , we prove completeness under the 
assumptions that the loop invariants of all luhile statements are weakest invariants and that the 
needed properties on integers are admitted. We adopt the strategy that computes the weakest 
precondition and we will prove the following theorem: 


Theorem 8.1 (Dijkstra theorem on the genetically modified Hoare logic) A GRN N and a Hoare 
triple {H} p {Q} being given, the backward strategy defined at the end of Section [!|, with the 
inference rides of Section [h| computes the weakest precondition Ho just before the last inference 
that uses the Empty program rule. 

It means that: if {H} p {Q} is satisfied, then P => Hq is satisfied. 
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This theorem has an obvious corrolary: 

Corollary 8.2 A GRN N being given, our modified Hoare logic is complete under the assumption 
that all given loop invariants are the weakest ones and that the needed properties on integers are 
established. 

Proof of the corollary: if {P} p {Q} is satisfied, then, from the Dijkstra theorem above, 
there is a proof tree that infers the Hoare triple if there is a proof tree for the property P =>• Pq 
(which is semantically satisfied because Po is the weakest precondition). First order logic being 
complete and properties on integers being axiomatically assumed, the proof tree for P => Po 
exists. □ 


Proof of Dijkstra theorem: 

Under the hypotheses that all loop invariants are minimal and that the Hoare triple {P} p {Q} 
is satisfied, i.e., under the hypotheses: 


H i 


for all r/ satisfying P, there exists E such that p E and for all rj e E, rf satisfies Q 


H 2 for all while statements of p, the corresponding loop invariant / is the weakest one 


one has to prove the conclusion: 


C P =>■ Po is satisfied, where Po is the precondition computed by the proof of {P} p {Q} 
according to the backward strategy with the inference rules of Section [6j 

The proof is done by structural induction according to the backward strategy on p. 

• If p is of the form while e with I do p', then, by construction of the backward strategy, 
applying the Iteration rule, we get Pq = I, and the conclusion results immediately from 


H 2 


If p is of the form u+, then the only set E such that p E is E = {p[v ■(—?;+ 1]}. The 
hypothesis H\ becomes: 


H\ for all p satisfying P, rj = p[v 4— v + 1] satisfies Q and p —> rf is a transition of S 


and from the Incrementation rule, the conclusion becomes: 


C P => (<&+ A Q[v v + 1]) is satisfied. 


So, H 


1 


C straightforwardly results from the definition of < F ? ,+ (Notation 6.1) and we 


do not use 


H 2 


If p is of the form pi',p 2 , then we firstly inherit the two structural induction hypotheses: 


H 3 for all assertions P' and Q ', if {P'} p\ {Q'} is satisfied then P' =A Pi is satisfied, 
where Pi is the precondition computed from Q' via the backward strategy 

for all assertions P" and Q", if {P''} p 2 {Q”} is satisfied then P" => P 2 is satisfied, 
where P 2 is the precondition computed from Q" via the backward strategy 


II 


Moreover the hypothesis H\ becomes (Definition 


5.2): 
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for all 11 satisfying P. there exists a family of state sets P = {E e } e g_p such that F 
and e & E e for all e G F and for all r/ € E = (U e eF E e ), vf satisfies Q 


Lastly, from the Sequential composition rule, the conclusion becomes: 


C 


P =4> P\ is satisfied, where Pi is the weakest precondition of {• • •} p\ {P 2 }, P 2 being 
the weakest precondition of {• • •} p 2 {Q}- 


From 


//4 | (with Q" = Q) it results that all the states e £ F of hypothesis H 1 satisfy 

H;> I (with Q' = P 2 and P 7 = P) it 


P 2 . Consequently {P} p\ {P 2 } is satisfied. Thus, from 
comes P => Pi, which proves the conclusion. 


• Similarly to the correctness proof, we do not develop here the other cases of the structural 
induction. They are either similar to already developed cases ( Decrementation rule) or 
trivial ( Assert rule, quantifier rules, and Assignment rule) or standard in Hoare Logic 
(.Alternative rule). 


This ends the proof. 


□ 


9 Discussion 

The cornerstone of the modeling process lies, whatever the application domain, in the deter¬ 
mination of parameters. In this paper, we proposed an approach for exhibiting constraints on 
parameters of gene network models, that relies on the adaptation of the Hoare logic, initially 
designed for proofs of imperative programs. It leads to several questions about its usability and 
implementations. 

9.1 Language issues 

The path language is a way to describe formally the specification of correct models of gene 
networks. Classically, the specifications can be expressed in temporal logics, like CTL and LTL, 
which also allows the modeler to take into account behavioral information. But even if there 
exists some links between path language and temporal logics, these formal languages (temporal 
logics and path language) are not comparable: some properties can be expressed in the path 
language and not in classical temporal logics and converselly. 

• On the one hand, in the path program, the assignment instruction allows one to express a 
knock-out of a gene (v := 0). Such knock-out of a gene is not expressible in CTL or LTL. 

• On the other hand, CTL or LTL is able to express properties on infinite cyclic traces. Such 
properties on infinite traces would be expressed in the path language by a program which 
does not terminate, and consequently, the post-condition would not make sense. 

Nevertheless, a succession of incrementation/decrementation instructions corresponds to a prop¬ 
erty that can be expressed in the CTL language. For example, if one knows the starting 
point, say (ui = 1 A V2 = 0), the path program v\+; U2+; v\ — corresponds to the formula 
EX(y 1 = 2 A EX(y 2 = 1 A EX{v\ = 1 A »2 = 0))). Correctness of this program path 
with the precondition (ui = 1 A V 2 = 0) becomes equivalent to verify that the CTL formula 
(ui = 1 A V2 = 0) =>- EX{y 1 = 2 A EX(v2 = 1 A EX(v 1 = 1 A V2 = 0))) is true in all possible 
states. More generally, the path language is well suited for sequential properties whereas CTL 
can express non sequential ones. 
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# initializing 

T3:=l; T4:=l; d3:=l; d.2: =0; gi:=0; gp: =0; gt:=0; tr:=0; 

# evolutions 

gi+; d2+; T3+; tr+; T3+; gp+; d3-; gt+; 


/ (T 3 = 1) A \ 


( EX((gi = 1)A \ 

(T 4 = 1) A 


EX{(d2 = 1) A 

(d3 = 1) A 


EX{{T3 = 2) A 

(d2 = 0) A 

—V 

EX((tr = 1) A 

(gi = 0) A 


EX((T3 = 3)A 

{gp = 0) A 


EX{{gp = 1)A 

(. gt = 0) A 


EX{{d3 = 0)A 

V (tr = 0) j 


l Ex{ g t = mm) y 


Figure 4: A path program (top) with its corresponding CTL formula (bottom) 


In the path language, invariants of while loops are mandatory: Hoare logic is able to prove 
a program with while statements only if invariants are given. In other words, the entire infor¬ 
mation that the Hoare logic needs to perform the proof, is given by invariants. Unfortunately, 
invariants are difficult to devise. Thus the while statements are often used in proofs by refuta¬ 
tion, where the proof is done for each possible invariant, see our example of section ??. 

9.2 Plateform issues 

The Hoare logic for gene networks has been designed in order to support a software which aims 
at helping the determination of parameters of models of gene networks. We have already done 
its proof of feasability. Indeed, after having developped a prototype named SMBioNet which 
enumerates all possible valuations of parameters and retains only those which are coherent with 
a specified temporal logic formula, we developped a new prototype called WP-SMBioNet |KhalO] , 
which uses a path program and the Weakest Precondition calculus (backward strategy) to pro¬ 
duce constraints on parameters. 

In order to compare both approaches (CTL formulae versus path programs), we consider 
a property which can be expressed in both temporal logic CTL and path program. When 
modeling the biological system triggering the tail resorption during the metamorphose of tadpole, 
see [TTB + 07] and references therein, the expression profiles of |LB77] can be translated into 
a path program, see Fig [4j which in turn can be translated into an equivalent CTL formula. 
For this example, whereas SMBioNet needs more than 3 hours to selects among all possible 
parameterizations those which lead to a dynamics coherent with the CTL formula, WP-SMBioNet 
needs only 10 seconds (on the same computer) to construct the constraints on the parameters. 
If we ask the enumeration of the parameters satisfying the constraints (using Choco |cT10| ). the 
total search time is about 2 minutes. This example shows that the Hoare logic can speed up the 
determination of coherent parameterizations. 

We can notice that the complexity of the weakest precondition calculus is linear with the 
number of instructions in the path program, and does not depend on the size of gene regulatory 
networks: each node of the syntaxic tree of the program is visited only once. At the opposite, 
the CTL model checking algorithm depends on the size of the network. Thus, the use of path 
program instead of CTL formula leads to postpone the enumeration step which then can use 
the constraints on parameters to cut down drastically the set of parameterizations to consider. 

A software plateform dedicated to analysis of gene regulatory networks, should have to 
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combine different technics. Indeed constraints solving technics are necessary to enumerate pa¬ 
rameters or give counter-examples, theorem prover can be also useful to get strategies for proofs 
by refutation, and model checking technics and Hoare logic precondition calculus should be 
combined in order to give very efficient algorithm. As already noted, it seems natural to use 
Hoare logic when the behavioural specification focuses on a finite time horizon, whereas model 
checking is natural when the temporal specification expresses global properties on infinite traces. 


It would be interesting to complete this plateform with some improved features. From a 
theoretical point of view, one could also develop approaches to help finding loop invariants. To 
build them, it seems possible to adapt the iterative approach adopted in ASTREE CCF+05 


but in another context (abstract interpretation |CC04j ): Pragmatically one begins with a sim¬ 
ple invariant I, then one tries to make the proof and completes iterativelly and partially the 
invariant. From an application point of view, specifications often stem from DNA profiles, it 
would be valuable to develop a program that automatically produces path programs from DNA 
chips data. Two questions emerge: the choice of thresholds on which is based the discretization 
of expression levels, and the determination of good time steps. These questions are out of the 
scope of this article. They mainly rely on biological expertise and experimental conditions. 
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